{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Sharing Information with Third-Party Organisations Policy
1. Purpose
The purpose of this policy is to outline {{org_field_name}}'s approach to sharing information securely and appropriately with third-party organisations. Effective information-sharing ensures continuity of care, safeguarding, compliance with regulatory standards, and operational efficiency while protecting service user confidentiality.
The policy is designed to ensure that information is shared lawfully, fairly, transparently, securely and only where necessary and proportionate. It also ensures that information-sharing decisions are recorded clearly so that the provider can evidence safe, effective, caring, responsive and well-led care.
This policy supports compliance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Data (Use and Access) Act 2025 as commenced, the Human Rights Act 1998, the Common Law Duty of Confidentiality, the Care Act 2014, the Mental Capacity Act 2005, the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, the Care Quality Commission (Registration) Regulations 2009, CQC Fundamental Standards, CQC assessment framework quality statements, and relevant Information Commissioner’s Office guidance including the Data Sharing Code of Practice.
2. Scope
This policy applies to:
- All employees, including care workers, administrative staff, and management.
- Service users and their representatives, ensuring their rights are upheld.
- Third-party organisations, including healthcare providers, local authorities, regulators, and safeguarding bodies. Third-party organisations may include, but are not limited to: GPs, district nurses, hospitals, pharmacists, ambulance services, local authorities, integrated care boards, safeguarding adults boards, police, CQC, commissioners, advocates, attorneys, deputies, appointees, family members where authorised, payroll providers, IT system providers, care planning software providers, insurers, legal advisers, auditors and training providers.
- Data protection officers and legal representatives, ensuring adherence to legal and ethical responsibilities.
It covers:
- Legal and regulatory compliance.
- Situations requiring information-sharing.
- Consent, confidentiality, and safeguarding.
- Data security and record-keeping.
- Responsibilities of staff and management.
- Handling breaches and complaints.
2.1 Data-sharing roles
Before information is shared, the organisation must identify whether the third party is acting as:
- an independent controller;
- a joint controller; or
- a processor acting only on documented instructions.
Controller-to-controller or joint-controller sharing must be supported by an appropriate data-sharing arrangement where the sharing is regular, planned or high risk. Processor arrangements must be supported by a written processor agreement that meets UK GDPR requirements.
3. Legal and Regulatory Framework
This policy aligns with the following legislation, regulations and guidance, as applicable to domiciliary care services in England:
- UK General Data Protection Regulation and Data Protection Act 2018 — including the data protection principles, lawful bases for processing, special-category data conditions, data subject rights, security, accountability and breach-reporting requirements.
- Data (Use and Access) Act 2025 — which amends aspects of UK data protection law, including areas such as subject access, recognised legitimate interests, complaints and responsible data sharing, as provisions are commenced.
- Common Law Duty of Confidentiality — requiring confidential information to be shared only with consent, another lawful basis or an overriding public-interest justification.
- Human Rights Act 1998 — including respect for private and family life under Article 8.
- Health and Social Care Act 2008 and Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 — including the following CQC Fundamental Standards:
  - Regulation 9: Person-centred care — people and relevant persons must be involved in assessments and decisions and provided with information they reasonably need.
  - Regulation 11: Need for consent — care and treatment must only be provided with lawful consent unless another legal authority applies.
  - Regulation 12: Safe care and treatment — where responsibility for care is shared or transferred, the provider must work with others to ensure timely care planning for the person’s health, safety and welfare.
  - Regulation 13: Safeguarding service users from abuse and improper treatment — safeguarding concerns must be acted on without delay, including referral to the appropriate body where required.
  - Regulation 16: Receiving and acting on complaints — complaints about information-sharing must be investigated and used to improve practice.
  - Regulation 17: Good governance — the provider must maintain secure, accurate, complete and contemporaneous records and operate systems to assess, monitor and improve quality, safety and risk management.
  - Regulation 20: Duty of candour — where a notifiable safety incident occurs, relevant persons must be informed, supported, given an apology and provided with written information as required.
- Care Quality Commission (Registration) Regulations 2009 — including statutory notifications to CQC for relevant incidents such as abuse or allegations of abuse, serious injury, police involvement and events affecting safe service delivery.
- Care Act 2014 — including safeguarding duties and information-sharing necessary to protect adults with care and support needs from abuse or neglect.
- Mental Capacity Act 2005 — including best-interests decision-making where a person lacks capacity to consent to information sharing.
- Freedom of Information Act 2000 — where applicable, for example where information is held on behalf of a public authority or where requests are handled by a public-sector commissioner.
- ICO Data Sharing Code of Practice and other ICO guidance — including the requirement to share personal information in a fair, safe, transparent and accountable way.
3.1 Lawful basis for sharing information
The organisation will identify and record a lawful basis before sharing personal data. Depending on the circumstances, the lawful basis may include:
- consent;
- contract;
- legal obligation;
- vital interests;
- public task; or
- legitimate interests.
Where the information includes health, care, safeguarding, ethnicity, religion, disability or other special-category data, the organisation will also identify an Article 9 UK GDPR condition and, where required, a Data Protection Act 2018 Schedule 1 condition.
Consent will not be relied upon where it is not freely given, specific, informed and capable of being withdrawn. In many care, safeguarding, contractual, regulatory or emergency situations, information may be shared without consent where there is another lawful basis and the sharing is necessary, proportionate and recorded.
Where special-category data or criminal-offence data is processed under a Schedule 1 condition that requires an Appropriate Policy Document, the organisation will maintain and follow such a document.
4. Situations Requiring Information-Sharing
Information may need to be shared with third-party organisations in the following circumstances:
- Care planning and coordination — including referrals, reviews, hospital admission or discharge, changes in need, falls, deterioration, medicines, nutrition, hydration, mobility, pressure care, continence, mental health and end-of-life care.
- Shared or transferred care — where responsibility for care is shared with, or transferred to, GPs, district nurses, hospitals, pharmacists, ambulance services, local authorities, commissioners or other professionals.
- Safeguarding — including concerns about abuse, neglect, self-neglect, financial abuse, domestic abuse, coercion, modern slavery, discriminatory abuse or organisational abuse.
- Mental capacity and best interests — including sharing relevant information with attorneys, deputies, advocates, IMCAs, appointees or professionals involved in best-interests decisions.
- Regulatory compliance — including CQC inspections, enquiries, statutory notifications, audits, enforcement activity and provider information requests.
- Commissioning and funding — including local authority or NHS-funded care assessments, contract monitoring, quality assurance and financial reviews.
- Emergency situations — including risk of serious harm, medical emergency, missing person, fire, flood, infection outbreak, police involvement or ambulance attendance.
- Complaints, incidents and duty of candour — including sharing information needed to investigate concerns, provide explanations, apologise where required and prevent recurrence.
- Service improvement — including anonymised or pseudonymised data where possible for audits, trend analysis, learning, staff supervision and quality improvement.
- Legal claims or proceedings — including requests from courts, solicitors, insurers, coroners or law enforcement where lawful and proportionate.
5. Consent, Confidentiality, and Safeguarding
Consent will be obtained where consent is the appropriate lawful basis for sharing. However, personal information may be shared without consent where there is another lawful basis, where sharing is necessary and proportionate, and where one or more of the following applies: safeguarding, risk of serious harm, medical emergency, legal obligation, regulatory requirement, vital interests, duty of candour, contractual care delivery, public task, legitimate interests, crime prevention or a court/legal requirement.
Where a person may lack capacity to consent to information sharing, staff must follow the Mental Capacity Act 2005. Capacity must be assessed for the specific decision at the specific time. If the person lacks capacity, information may be shared only where it is in the person’s best interests, legally authorised, necessary and proportionate. Staff must consider attorneys, deputies, advocates, advance decisions, known wishes and the least restrictive option.
- Information is only shared on a need-to-know basis, ensuring data minimisation.
- All shared information must be accurate, up-to-date, and relevant to its purpose.
- Safeguarding concerns override confidentiality when a service user is at risk of harm.
- Staff must not promise absolute confidentiality. They must explain that information may need to be shared to keep the person or others safe, meet legal or regulatory duties, deliver care, investigate concerns or respond to emergencies.
- Where practicable and safe, the person should be informed about what information will be shared, with whom, why, and what may happen as a result.
- If the person objects to sharing, the objection must be considered and recorded. Information may still be shared where the risk, legal duty or public interest justifies disclosure.
- Safeguarding concerns must be referred without delay in line with the local safeguarding adults procedures and the organisation’s Safeguarding Adults Policy.
- Where the concern may meet the threshold for a CQC statutory notification, the Registered Manager must ensure the relevant notification is submitted to CQC.
5.1 Information-sharing decision checklist
Before sharing personal information, staff must consider and record:
- What information is being requested or proposed for sharing?
- Who is requesting it and have they been verified?
- What is the purpose of sharing?
- What is the lawful basis under UK GDPR?
- Is special-category data involved, and what Article 9 / DPA 2018 condition applies?
- Is consent required or appropriate? If consent is not used, what is the justification?
- Is the sharing necessary, proportionate and in the person’s interests or the wider public interest?
- Can less information be shared to achieve the same purpose?
- Is the information accurate, relevant and up to date?
- Is the sharing secure?
- Does the sharing need to be recorded in the person’s care record, incident record, safeguarding record, complaints record, data-sharing log or breach log?
- Does the matter require escalation to the Registered Manager, DPO/data protection lead, safeguarding lead, local authority, CQC, police, commissioner or ICO?
5.2 Sharing information with family members, representatives and others
Staff must not assume that family members, friends or informal carers are automatically entitled to confidential information. Before sharing information, staff must check:
- whether the person has consented to information being shared with that individual;
- whether the individual has legal authority, such as lasting power of attorney, deputyship, appointeeship or other formal authority;
- whether the person lacks capacity and sharing is in their best interests;
- whether sharing is necessary to prevent harm or support safe care;
- whether the information requested is relevant and proportionate.
Where there is a dispute between relatives, concerns about coercion, financial abuse, domestic abuse or undue influence, staff must escalate to the Registered Manager or safeguarding lead before sharing information unless urgent action is needed to prevent harm.
6. Data Security and Record-Keeping
The organisation will maintain secure, accurate, complete and contemporaneous records relating to people using the service, staff and management of the regulated activity.
Information must be shared securely using approved methods only. Approved methods may include encrypted email, secure care-planning systems, secure portals, password-protected documents, verified telephone calls, secure NHS/local-authority systems, recorded professional handovers or other authorised systems.
Staff must:
- verify the identity and authority of the person or organisation requesting information;
- share only the minimum necessary information;
- check that information is accurate, relevant and up to date before sharing;
- mark confidential information appropriately;
- avoid using personal email, personal messaging apps or unauthorised devices;
- avoid discussing confidential information where they may be overheard;
- report misdirected emails, lost devices, unauthorised access or suspected breaches immediately;
- record what was shared, with whom, when, why, by what method, and who authorised it.
Records of information sharing must be kept in the appropriate record, which may include the care record, daily notes, incident record, safeguarding record, complaints file, CQC notification record, data-sharing log, breach log or management audit file.
Records must be retained and destroyed in accordance with the organisation’s retention schedule and Records Management Policy.
6.1 Data-sharing agreements and processor contracts
Regular, planned, repeated or high-risk sharing with another controller or joint controller must be supported by a documented data-sharing agreement or protocol where appropriate. This should set out:
- the purpose of sharing;
- the categories of information shared;
- the people whose information is shared;
- the lawful basis and special-category condition;
- roles and responsibilities of each organisation;
- security arrangements;
- retention arrangements;
- arrangements for data subject rights;
- breach reporting and escalation;
- review dates;
- points of contact.
Where a third party processes personal data only on behalf of the organisation, such as an IT provider, payroll provider or care planning software provider, a written processor contract must be in place before processing begins.
7. Responsibilities of Staff and Management
Provider / Nominated Individual
- Ensures effective governance systems are in place for lawful, safe and secure information sharing.
- Ensures suitable policies, systems, contracts, audits and training are maintained.
Registered Manager
- Has day-to-day responsibility for implementation of this policy.
- Ensures staff understand when and how to share information.
- Ensures safeguarding referrals, CQC notifications, duty of candour actions and commissioner notifications are completed where required.
- Ensures records are accurate, complete, contemporaneous and securely maintained.
DPO / Data Protection Lead
- Advises on lawful basis, special-category data, data-sharing agreements, data protection impact assessments, breaches, subject access requests and complaints.
- Maintains oversight of the data-sharing log, breach log, DPIAs and data protection audits.
Safeguarding Lead
- Advises staff where information sharing relates to abuse, neglect, self-neglect, domestic abuse, financial abuse, coercion or other safeguarding concerns.
- Ensures referrals are made in line with local safeguarding adults procedures.
Care Workers and Office Staff
- Follow this policy and associated procedures.
- Share information only when authorised, necessary and proportionate.
- Record information-sharing decisions accurately.
- Report concerns, errors, breaches or unsafe information-sharing immediately.
Third-party suppliers and contractors
- Must comply with contractual confidentiality, security and data protection obligations.
- Must report any actual or suspected breach immediately in accordance with contractual requirements.
8. Handling Data Breaches, Incidents and Complaints
A personal data breach includes any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include misdirected emails, lost paperwork, lost or stolen devices, unauthorised access to care records, verbal disclosure to the wrong person, cyber incidents, ransomware, inappropriate staff access or sharing excessive information.
Staff must report any actual or suspected breach immediately to the Registered Manager and DPO/data protection lead. Staff must not attempt to conceal or resolve a breach without reporting it.
The Registered Manager and DPO/data protection lead will assess:
- what happened;
- what personal data was involved;
- whether special-category data was involved;
- who is affected;
- likely risks to people’s rights and freedoms;
- whether the ICO must be notified;
- whether affected individuals must be informed;
- whether CQC, commissioners, safeguarding, police, insurers or other bodies must be informed;
- immediate containment and corrective action.
Where a breach is likely to result in a risk to people’s rights and freedoms, the organisation will report it to the ICO within 72 hours of becoming aware, where feasible. Where a breach is likely to result in a high risk to individuals, affected individuals will be informed without undue delay.
All breaches, including breaches not reported to the ICO, must be recorded in the breach log with the decision-making rationale.
Complaints about information sharing, confidentiality, access to records or data protection rights will be handled in line with the Complaints Policy and data protection law. The complainant will be told the outcome and any actions taken, and will be informed of their right to contact the ICO where appropriate.
8.1 CQC statutory notifications
Where information-sharing relates to an incident that may require a statutory notification, the Registered Manager must ensure the relevant CQC notification is completed without delay. This may include, but is not limited to:
- abuse or allegations of abuse;
- serious injury;
- police involvement in an incident;
- death of a person using the service where notifiable;
- events that stop or may stop the service running safely and properly;
- unauthorised absence where applicable;
- outcome of an application to deprive a person of liberty where applicable.
The CQC notification record must include what was notified, when, by whom, the acknowledgement/reference number, and any follow-up actions required.
Where an incident involves both a personal data breach and a notifiable CQC/safeguarding incident, the organisation must consider all reporting routes separately: ICO, CQC, local authority safeguarding, commissioner, police, insurance and duty of candour.
8.2 Duty of candour
Where an information-sharing issue, data breach, confidentiality breach, safeguarding matter or other incident is also a notifiable safety incident, the organisation will follow the Duty of Candour Policy.
The relevant person must be informed as soon as reasonably practicable, provided with reasonable support, given a truthful account of known facts, advised of further enquiries, given an apology where required, and provided with written follow-up.
All duty of candour communications and attempts to contact the relevant person must be recorded and kept securely.
9. Monitoring, Reviewing, and Improving Practices
The Registered Manager and DPO/data protection lead will monitor compliance with this policy through:
- audits of information-sharing records;
- audits of care records to check accuracy, completeness and contemporaneous recording;
- review of safeguarding referrals and CQC notifications;
- review of data breaches, near misses and complaints;
- spot checks of secure email, digital care systems and access permissions;
- review of data-sharing agreements and processor contracts;
- staff supervision, competency checks and training records;
- feedback from people using the service, representatives, staff, commissioners and professionals.
Audit findings will be recorded, analysed and used to improve practice. Actions will be allocated to named persons with timescales and reviewed until completed.
10. Policy Review and Updates
This policy will be reviewed at least annually and sooner if:
- UK GDPR, Data Protection Act 2018, Data (Use and Access) Act 2025 commencement, CQC regulations, ICO guidance or safeguarding guidance changes;
- CQC assessment framework guidance or quality statement expectations change;
- an incident, breach, complaint, safeguarding concern or audit identifies a weakness;
- new digital systems, care planning software, suppliers or data-sharing arrangements are introduced;
- commissioner or contractual requirements change;
- staff, service users, representatives or professionals identify improvement needs.
Staff will be informed of material changes and training will be updated where required.
11. Conclusion
By implementing this policy, the organisation ensures that information is shared lawfully, safely, securely and in a person-centred way. The organisation recognises that appropriate information sharing is essential to safe care, safeguarding, continuity of care, partnership working, regulatory compliance and service improvement.
Staff must balance confidentiality with the need to protect people from harm, support their care, comply with legal and regulatory duties, and act openly and transparently. All information-sharing decisions must be necessary, proportionate, recorded and subject to effective governance.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.